From 5314b13a8d5126b31b01ed8afe408f26da139994 Mon Sep 17 00:00:00 2001
From: Danil Chapovalov
Date: Tue, 26 Nov 2019 10:13:07 +0100
Subject: [PATCH] Fix undefined-shift in RtpDepacketizerAv1::AssembleFrame
Bug: chromium:1028348
Change-Id: I824e84138acbf4e73fc21ee8248e29e5cc7a0ba0
Reviewed-on: https://webrtc-review.googlesource.com/c/src/+/160643
Reviewed-by: Sam Zackrisson
Commit-Queue: Danil Chapovalov
Cr-Commit-Position: refs/heads/master@{#29945}
---
 modules/rtp_rtcp/source/rtp_depacketizer_av1.cc | 3 ++-
 test/fuzzers/BUILD.gn | 1 +
 .../av1-assemble-frame-0 | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0
diff --git a/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc b/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc
index 45122dac48..52c62f87ab 100644
--- a/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc
+++ b/modules/rtp_rtcp/source/rtp_depacketizer_av1.cc
@@ -311,7 +311,8 @@ bool CalculateObuSizes(ObuInfo* obu_info) {
 return false;
 }
 leb128_byte = *it;
- obu_size_bytes |= (leb128_byte & 0x7F) << (size_of_obu_size_bytes * 7);
+ obu_size_bytes |= uint64_t{leb128_byte & 0x7Fu}
+ << (size_of_obu_size_bytes * 7);
 ++size_of_obu_size_bytes;
 ++it;
 } while ((leb128_byte & 0x80) != 0);
diff --git a/test/fuzzers/BUILD.gn b/test/fuzzers/BUILD.gn
index 7acbf023e2..7e81d56452 100644
--- a/test/fuzzers/BUILD.gn
+++ b/test/fuzzers/BUILD.gn
@@ -550,6 +550,7 @@ webrtc_fuzzer_test("rtp_depacketizer_av1_assemble_frame_fuzzer") {
 sources = [
 "rtp_depacketizer_av1_assemble_frame_fuzzer.cc",
 ]
+ seed_corpus = "corpora/rtp-depacketizer-av1-assemble-frame-corpus"
 deps = [
 ":fuzz_data_helper",
 "../../api:array_view",
diff --git a/test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0 b/test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0
new file mode 100644
index 0000000000..540a770e29
--- /dev/null
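Review bot: The widened shift in CalculateObuSizes is only defined while `size_of_obu_size_bytes * 7` stays below 64, and the condition that bounds the do/while loop sits above the hunk (only its `return false;` is visible), so it is worth confirming that it caps the number of leb128 bytes as well as checking for end of data. The payload arrives from the network, so a run of bytes with the continuation bit set must not be able to push the shift count past 63. If that cap is already in place, a short comment on the new line would record the dependency, e.g. `// Widen to 64 bits before shifting; the loop guard keeps the shift count below 64.` The declared type of `obu_size_bytes` is also outside the hunk; presumably it is 64 bits wide, otherwise the upper groups would still be lost on assignment.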
+++ b/test/fuzzers/corpora/rtp-depacketizer-av1-assemble-frame-corpus/av1-assemble-frame-0 @@ -0,0 +1 @@ +ô0ÿÿÿ¸¸¸ \ No newline at end of file